authorManish Pandey <manish.pandey2@arm.com>2019-05-07 16:02:56 +0100
committerTushar Khandelwal <tushar.khandelwal@arm.com>2019-09-04 11:08:17 +0100
commitcef5813277019f6db7c022e13fc2f40e75138247 (patch)
tree6053abfb27f7898a1f2af409148ba6bcfad42e8b
parent71f63b8e44e0312aaadf7658d7f26d00d1d9dc1c (diff)
add Firewall IP support and program boot processor firewall.
Corstone-700 has two Firewall IPs, one with the boot processor and the other in the Host System; both will be programmed from the boot processor, as it is the root of trust. This patch introduces the Firewall module and the programming of the SE Firewall translation for the Host access regions. The following four Host regions are currently accessed from the SE: 1. Boot Instruction Register 2. Shared RAM 3. Execute in Place (XIP) Flash 4. Host peripheral regions Change-Id: Ice81cd119bddf3db9beca1cf6a12915b0e851479 Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
-rw-r--r--product/corstone-700/include/firewall.h171
-rw-r--r--product/corstone-700/include/se_mmap.h2
-rw-r--r--product/corstone-700/include/se_system_mmap.h18
-rw-r--r--product/corstone-700/module/firewall/include/mod_firewall.h20
-rw-r--r--product/corstone-700/module/firewall/src/Makefile10
-rwxr-xr-xproduct/corstone-700/module/firewall/src/mod_firewall.c124
-rw-r--r--product/corstone-700/se_romfw/config_firewall.c18
-rw-r--r--product/corstone-700/se_romfw/firmware.mk2
8 files changed, 361 insertions, 4 deletions
diff --git a/product/corstone-700/include/firewall.h b/product/corstone-700/include/firewall.h
new file mode 100644
index 0000000..eb7aed8
--- /dev/null
+++ b/product/corstone-700/include/firewall.h
@@ -0,0 +1,171 @@
+/*
+ *
+ * Copyright (c) 2019, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ *
+ */
+
+#ifndef SE_FW_H
+#define SE_FW_H
+
+#include <stdint.h>
+#include <se_mmap.h>
+
+/*
+ * The Firewall occupies up to 2MB of address space in total.
+ * Each Firewall Component is allocated 64KB so in total a Firewall
+ * can have maximum of 32 Components with first component being
+ * FW controller.
+ */
+#define FW_TOTAL_SIZE 0x200000
+#define FW_CMP_SIZE 0x10000
+#define MAX_FW_CMP 32
+
+/*
+ * boot processor contains a dedicated Firewall having one FW controller
+ * and one FW component which allows boot processor access to the Host System address
+ * space.
+ */
+#define SE_FCTLR_BASE SE_FIREWALL_BASE
+#define SE_FC1_BASE SE_FIREWALL_BASE + FW_CMP_SIZE
+
+/*
+ * Common Firewall Registers, present in both Controller and Components.
+ */
+#define LD_CTRL 0x010
+#define RGN_SCTRL0 0x020
+#define RGN_SCTRL1 0x024
+#define RGN_SCTRL2 0x028
+#define RGN_SCTRL3 0x02C
+#define RGN_SCTRL4 0x030
+#define RGN_SCTRL5 0x034
+#define RGN_SCTRL6 0x038
+#define RGN_SCTRL7 0x03C
+#define RGN_SST0 0x040
+#define RGN_SST1 0x044
+#define RGN_SST2 0x048
+#define RGN_SST3 0x04C
+#define RGN_SST4 0x050
+#define RGN_SST5 0x054
+#define RGN_SST6 0x058
+#define RGN_SST7 0x05C
+#define FC_SCTRL 0x060
+#define FC_SST 0x064
+#define PE_CTRL 0x100
+#define PE_ST 0x104
+#define PE_BPS 0x108
+#define RWE_CTRL 0x10C
+#define RGN_CTRL0 0x110
+#define RGN_CTRL1 0x114
+#define RGN_LCTRL 0x118
+#define RGN_ST 0x11C
+#define RGN_CFG0 0x120
+#define RGN_CFG1 0x124
+#define RGN_SIZE 0x128
+#define RGN_TCFG0 0x130
+#define RGN_TCFG1 0x134
+#define RGN_TCFG2 0x138
+#define RGN_MID0 0x140
+#define RGN_MPL0 0x144
+#define RGN_MID1 0x148
+#define RGN_MPL1 0x14C
+#define RGN_MID2 0x150
+#define RGN_MPL2 0x154
+#define RGN_MID3 0x158
+#define RGN_MPL3 0x15C
+#define FE_TAL 0x180
+#define FE_TAU 0x184
+#define FE_TP 0x188
+#define FE_MID 0x18C
+#define FE_CTRL 0x190
+#define ME_CTRL 0x200
+#define ME_ST 0x204
+#define EDR_TAL 0x260
+#define EDR_TAU 0x264
+#define EDR_TP 0x268
+#define EDR_MID 0x26C
+#define EDR_CTRL 0x270
+/* Capability registers */
+#define FC_CAP0 0xFA0
+#define FC_CAP1 0xFA4
+#define FC_CAP2 0xFA8
+#define FC_CAP3 0xFAC
+/* Configuration registers */
+#define FC_CFG0 0xFB0
+#define FC_CFG1 0xFB4
+#define FC_CFG2 0xFB8
+#define FC_CFG3 0xFBC
+
+/*
+ * Firewall Controller only Registers.
+ */
+#define FW_CTRL 0x000
+#define FW_ST 0x004
+#define FW_SR_CTRL 0x00C
+#define FW_INT_ST 0xD90
+#define FW_TMP_TA 0xE90
+#define FW_TMP_TP 0xE98
+#define FW_TMP_MID 0xE9C
+#define FW_TMP_CTRL 0xEA0
+#define IIDR 0xFC8
+#define AIDR 0xFCC
+#define FC0_INT_ST 0xD00
+#define FC0_INT_MSK 0xE00
+#define FC_INT_ST(x) FC0_INT_ST+x*4
+#define FC_INT_MSK(x) FC0_INT_MSK+x*4
+
+/*
+ * Generic Macros
+ */
+#define ENABLE 0x1
+#define DISABLE 0x0
+#define PE_ENABLE ENABLE << 31
+#define ADDR_TRANS_ENABLE ENABLE << 17
+#define RGN_SIZE_4KB 0x0C
+#define RGN_SIZE_32MB 0x19
+#define RGN_SIZE_128MB 0x1B
+
+
+/*
+ * Host access regions view from boot processor
+ */
+enum se_firewall_regions {
+ DEFAULT_REGION = 0,
+ HOST_BIR_REGION,
+ SHARED_RAM_REGION,
+ XIP_FLASH_REGION,
+ HOST_PERIPHERAL_REGION,
+ DRAM_REGION,
+ NUM_REGIONS
+};
+
+/*
+ * Region Master Permission List
+ * S: Secure, N: Non-secure
+ * P: Privileged, U: Unprivileged
+ * R: Read, W: Write, X: Execute
+ */
+#define ANY_MST ENABLE << 12
+#define SPX ENABLE << 11
+#define SPW ENABLE << 10
+#define SPR ENABLE << 9
+#define SUX ENABLE << 8
+#define SUW ENABLE << 7
+#define SUR ENABLE << 6
+#define NSPX ENABLE << 5
+#define NSPW ENABLE << 4
+#define NSPR ENABLE << 3
+#define NSUX ENABLE << 2
+#define NSUW ENABLE << 1
+#define NSUR ENABLE << 0
+
+/*
+ * Master Permission Enable
+ */
+#define MPE3_EN ENABLE << 4
+#define MPE2_EN ENABLE << 3
+#define MPE1_EN ENABLE << 2
+#define MPE0_EN ENABLE << 1
+
+#endif /* SE_FW_H */
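Review bot: `PE_ENABLE` expands to `0x1 << 31`, which shifts a signed int into its sign bit (undefined behaviour in C), and none of the expression macros in this header are parenthesised. A later use such as `~SPX` would expand to `~0x1 << 11`, and `FC_INT_ST(i + 1)` to `FC0_INT_ST+i + 1*4`, so a permission mask or register offset can silently evaluate to the wrong value in code that programs the firewall. Wrap every expansion and argument and use an unsigned constant, for example `#define PE_ENABLE (UINT32_C(1) << 31)`, `#define SE_FC1_BASE (SE_FIREWALL_BASE + FW_CMP_SIZE)` and `#define FC_INT_ST(x) (FC0_INT_ST + (x) * 4)`, and do the same for the `ENABLE << n` permission and MPE bits.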
diff --git a/product/corstone-700/include/se_mmap.h b/product/corstone-700/include/se_mmap.h
index 33cca9d..57429b1 100644
--- a/product/corstone-700/include/se_mmap.h
+++ b/product/corstone-700/include/se_mmap.h
@@ -31,4 +31,6 @@
#define HOST_SYS_RST_CTRL (SE_BASE_SYS_CTRL + 0x0)
#define BOOT_INST_REGISTER (SE_HOST_ACCESS + 0x0)
+#define SE_FIREWALL_BASE (SE_PERIPHERAL_BASE + 0x200000)
+
#endif /* SE_MMAP_H */
diff --git a/product/corstone-700/include/se_system_mmap.h b/product/corstone-700/include/se_system_mmap.h
index 1df8078..68cec01 100644
--- a/product/corstone-700/include/se_system_mmap.h
+++ b/product/corstone-700/include/se_system_mmap.h
@@ -13,11 +13,21 @@
/*Memory*/
#define SE_ROM_BASE 0x00000000
#define SE_RAM_BASE 0x30000000
-#define SE_HOST_ACCESS 0x60000000
+
#define SE_PERIPHERAL_BASE 0x50000000
+
+/* Host access regions from boot processor view */
+#define SE_HOST_ACCESS 0x60000000
+#define HOST_BIR_BASE 0x00000000
#define HOST_SHARED_RAM_BASE 0x02000000
-#define SE_FLASH_BASE (SE_HOST_ACCESS + 0x8000000)
+#define HOST_FLASH_BASE 0x08000000
+#define HOST_DRAM_BASE 0x80000000
+#define HOST_PERIPHERAL_BASE 0x1A000000
+#define SE_BIR_BASE (SE_HOST_ACCESS + HOST_BIR_BASE)
#define SE_SHARED_RAM_ACCESS (SE_HOST_ACCESS + HOST_SHARED_RAM_BASE)
+#define SE_FLASH_BASE (SE_HOST_ACCESS + HOST_FLASH_BASE)
+#define SE_DRAM_BASE (SE_HOST_ACCESS + HOST_DRAM_BASE)
+#define SE_HOST_PERIPHERAL_BASE (SE_HOST_ACCESS + HOST_PERIPHERAL_BASE)
/*Image offsets*/
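Review bot: `SE_DRAM_BASE` evaluates to 0x60000000 + 0x80000000 = 0xE0000000, which is the first address past the 2GB host access window that the mod_firewall.c comment in this commit describes as starting at 0x6000_0000. The flat `SE_HOST_ACCESS + HOST_*_BASE` scheme therefore does not give a boot-processor address inside the window for DRAM, and se_firewall_setup() programs no `DRAM_REGION`, so any later use of this macro would presumably go through an untranslated address. Either drop the define until DRAM access is implemented or mark it where it is defined, e.g. `/* DRAM lies outside the flat host window; needs its own translated region */`.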
@@ -26,7 +36,7 @@
#define HOST_DTB_BASE (SE_SHARED_RAM_ACCESS + 0x800000)
#define ROOTFS_SRAM_BASE (SE_SHARED_RAM_ACCESS + 0xa00000)
-#define SE_ROM_SIZE (32 * 1024)
-#define SE_RAM_SIZE (128 * 1024)
+#define SE_ROM_SIZE (32 * 1024)
+#define SE_RAM_SIZE (128 * 1024)
#endif
diff --git a/product/corstone-700/module/firewall/include/mod_firewall.h b/product/corstone-700/module/firewall/include/mod_firewall.h
new file mode 100644
index 0000000..a666612
--- /dev/null
+++ b/product/corstone-700/module/firewall/include/mod_firewall.h
@@ -0,0 +1,20 @@
+/*
+ *
+ * Copyright (c) 2019, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ *
+ */
+
+#ifndef MOD_SE_FIREWALL_H
+#define MOD_SE_FIREWALL_H
+
+#include <stddef.h>
+#include <stdint.h>
+#include <fwk_id.h>
+#include <firewall.h>
+
+struct firewall_config {
+ const uintptr_t se_firewall_base;
+};
+#endif /* MOD_SE_FIREWALL_H */
diff --git a/product/corstone-700/module/firewall/src/Makefile b/product/corstone-700/module/firewall/src/Makefile
new file mode 100644
index 0000000..7badf24
--- /dev/null
+++ b/product/corstone-700/module/firewall/src/Makefile
@@ -0,0 +1,10 @@
+#
+# Copyright (c) 2019, Arm Limited and Contributors. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+
+BS_LIB_NAME := FIREWALL
+BS_LIB_SOURCES = mod_firewall.c
+
+include $(BS_DIR)/lib.mk
diff --git a/product/corstone-700/module/firewall/src/mod_firewall.c b/product/corstone-700/module/firewall/src/mod_firewall.c
new file mode 100755
index 0000000..12ed384
--- /dev/null
+++ b/product/corstone-700/module/firewall/src/mod_firewall.c
@@ -0,0 +1,124 @@
+/*
+ *
+ * Copyright (c) 2019, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ *
+ */
+
+#include <string.h>
+#include <assert.h>
+#include <fwk_errno.h>
+#include <fwk_id.h>
+#include <fwk_module.h>
+#include <fwk_interrupt.h>
+#include <fwk_module_idx.h>
+#include <fwk_mm.h>
+#include <mod_log.h>
+#include <se_system_mmap.h>
+#include <mod_firewall.h>
+
+/*
+ * boot processor Firewall programming.
+ * The Host Access Region is a 2GB region starting at 0x6000_0000.
+ * It allows the boot processor access to the Host System address
+ * space, all access pass through Secure enclave firewall having
+ * translation extension programmed.
+ * Four host regions are currently accessed by boot processor namely
+ * Boot Instruction Register, Shared RAM, XIP Flash and Host
+ * Peripheral regions.
+ */
+static int se_firewall_setup()
+{
+ volatile uint32_t *pe_ctrl = (uint32_t *)(SE_FC1_BASE+PE_CTRL);
+ volatile uint32_t *rwe_ctrl = (uint32_t *)(SE_FC1_BASE+RWE_CTRL);
+ volatile uint32_t *rgn_size = (uint32_t *)(SE_FC1_BASE+RGN_SIZE);
+ volatile uint32_t *rgn_cfg0 = (uint32_t *)(SE_FC1_BASE+RGN_CFG0);
+ volatile uint32_t *rgn_tcfg0 = (uint32_t *)(SE_FC1_BASE+RGN_TCFG0);
+ volatile uint32_t *rgn_tcfg2 = (uint32_t *)(SE_FC1_BASE+RGN_TCFG2);
+ volatile uint32_t *rgn_mpl0 = (uint32_t *)(SE_FC1_BASE+RGN_MPL0);
+ volatile uint32_t *rgn_ctrl1 = (uint32_t *)(SE_FC1_BASE+RGN_CTRL1);
+ volatile uint32_t *rgn_ctrl0 = (uint32_t *)(SE_FC1_BASE+RGN_CTRL0);
+
+ /*
+ * Region Programming Sequence
+ * -Select The correct region using RWE_CTRL
+ * -Program region Base address using RGN_CFG{0,1}
+ * -Program Region size using RGN_TCFG{0,1}
+ * -Enable Translation properties using RGN_TCFG2
+ * -Program the required Permission entries RGN_MPL
+ * -Enable the required master permission entries using RGN_CTRL1
+ * -Enable the region using RGN_CTRL1
+ */
+
+ /* Enable PE_CTRL */
+ *pe_ctrl = PE_ENABLE | *pe_ctrl;
+
+ /* Boot Instruction Register region: 4KB */
+ *rwe_ctrl = HOST_BIR_REGION;
+ *rgn_ctrl0 = DISABLE;
+ *rgn_size = RGN_SIZE_4KB;
+ *rgn_cfg0 = SE_HOST_ACCESS;
+ *rgn_tcfg0 = HOST_BIR_BASE;
+ *rgn_tcfg2 = ADDR_TRANS_ENABLE | *rgn_tcfg2;
+ *rgn_mpl0 = ANY_MST | SPX | SPW | SPR | SUX | SUW | SUR \
+ | NSPX | NSPW | NSPR | NSUX | NSUW | NSUR;
+ *rgn_ctrl1 = MPE0_EN;
+ *rgn_ctrl0 = ENABLE;
+
+ /* Shared RAM region: 32MB */
+ *rwe_ctrl = SHARED_RAM_REGION;
+ *rgn_ctrl0 = DISABLE;
+ *rgn_size = RGN_SIZE_32MB;
+ *rgn_cfg0 = SE_SHARED_RAM_ACCESS;
+ *rgn_tcfg0 = HOST_SHARED_RAM_BASE;
+ *rgn_tcfg2 = ADDR_TRANS_ENABLE | *rgn_tcfg2;
+ *rgn_mpl0 = ANY_MST | SPX | SPW | SPR | SUX | SUW | SUR \
+ | NSPX | NSPW | NSPR | NSUX | NSUW | NSUR;
+ *rgn_ctrl1 = MPE0_EN;
+ *rgn_ctrl0 = ENABLE;
+
+ /* Execute in place(XIP) Flash region: 128MB */
+ *rwe_ctrl = XIP_FLASH_REGION;
+ *rgn_ctrl0 = DISABLE;
+ *rgn_size = RGN_SIZE_128MB;
+ *rgn_cfg0 = SE_FLASH_BASE;
+ *rgn_tcfg0 = HOST_FLASH_BASE;
+ *rgn_tcfg2 = ADDR_TRANS_ENABLE | *rgn_tcfg2;
+ *rgn_mpl0 = ANY_MST | SPX | SPW | SPR | SUX | SUW | SUR \
+ | NSPX | NSPW | NSPR | NSUX | NSUW | NSUR;
+ *rgn_ctrl1 = MPE0_EN;
+ *rgn_ctrl0 = ENABLE;
+
+ /* Host peripherals region: 128MB */
+ *rwe_ctrl = HOST_PERIPHERAL_REGION;
+ *rgn_ctrl0 = DISABLE;
+ *rgn_size = RGN_SIZE_128MB;
+ *rgn_cfg0 = SE_HOST_PERIPHERAL_BASE;
+ *rgn_tcfg0 = HOST_PERIPHERAL_BASE;
+ *rgn_tcfg2 = ADDR_TRANS_ENABLE | *rgn_tcfg2;
+ *rgn_mpl0 = ANY_MST | SPX | SPW | SPR | SUX | SUW | SUR \
+ | NSPX | NSPW | NSPR | NSUX | NSUW | NSUR;
+ *rgn_ctrl1 = MPE0_EN;
+ *rgn_ctrl0 = ENABLE;
+
+ *rwe_ctrl = DEFAULT_REGION;
+ *rgn_ctrl0 = ENABLE;
+
+ return FWK_SUCCESS;
+}
+
+static int firewall_init(
+ fwk_id_t module_id,
+ unsigned int element_count,
+ const void *data)
+{
+ se_firewall_setup();
+ return FWK_SUCCESS;
+}
+
+const struct fwk_module module_firewall = {
+ .name = "firewall",
+ .type = FWK_MODULE_TYPE_SERVICE,
+ .init = firewall_init,
+};
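Review bot: All four regions programmed in se_firewall_setup() write the same RGN_MPL0 value, `ANY_MST` plus all twelve secure/non-secure, privileged/unprivileged read/write/execute bits, so the firewall translates addresses but does not restrict any access type to the host regions. If the boot processor only needs data access to, say, the Boot Instruction Register and host peripheral windows, dropping the execute and unneeded security-state bits there would follow least privilege, along the lines of `*rgn_mpl0 = ANY_MST | SPW | SPR;` (exact set to be confirmed against the accesses the boot processor actually issues). `RGN_LCTRL` and `LD_CTRL` from firewall.h, presumably the lockdown controls, are never written, so the configuration appears to stay reprogrammable after init; a comment should say whether that is intentional. firewall_init() also ignores `data` (the `se_firewall_base` supplied by config_firewall.c) and the return value of se_firewall_setup(). The sequence comment names RGN_TCFG{0,1} for the size and RGN_CTRL1 for the enable, where the code writes RGN_SIZE and RGN_CTRL0.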
diff --git a/product/corstone-700/se_romfw/config_firewall.c b/product/corstone-700/se_romfw/config_firewall.c
new file mode 100644
index 0000000..0d10bb0
--- /dev/null
+++ b/product/corstone-700/se_romfw/config_firewall.c
@@ -0,0 +1,18 @@
+/*
+ *
+ * Copyright (c) 2019, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ *
+ */
+
+#include <fwk_module.h>
+#include <se_system_mmap.h>
+#include <se_mmap.h>
+#include <mod_firewall.h>
+
+const struct fwk_module_config config_firewall = {
+ .data = &((struct firewall_config) {
+ .se_firewall_base = SE_FIREWALL_BASE,
+ })
+};
diff --git a/product/corstone-700/se_romfw/firmware.mk b/product/corstone-700/se_romfw/firmware.mk
index 6716114..9b6618d 100644
--- a/product/corstone-700/se_romfw/firmware.mk
+++ b/product/corstone-700/se_romfw/firmware.mk
@@ -13,11 +13,13 @@ BS_FIRMWARE_MODULE_HEADERS_ONLY := \
BS_FIRMWARE_MODULES := \
pl011 \
log \
+ firewall \
spitoc_parser \
ramfw_loader
BS_FIRMWARE_SOURCES := \
config_log.c \
+ config_firewall.c \
config_spitoc_parser.c \
config_ramfw_loader.c